MineMeld Articles

Featured Article
The syslog miner can be used to extract indicators from logs coming from Palo Alto Networks next-generation firewall platforms.   1. Adding a syslog Miner   In CONFIG, click on the browse prototypes button and select the stdlib.syslogMiner prototype.     Inside the prototype, click on CLONE to create a new node based on the prototype.     2. Configuring the Miner   Specify a name for the new Miner, enable the OUTPUT and click OK     3. Connecting the Miner     Connect the new Miner to the inboundaggregator.     And press COMMIT.   3. Configuring syslog forwarding on PAN-OS   Please refer to the PAN-OS Administration Guide for instructions on how to configure log forwarding to a syslog server on PAN-OS (Software End-of-Life (EoL)). By defeault the syslog server on the VM listens for PAN-OS syslog messages on port tcp/13514.     4. Checking if syslog messages are received   In NODES, click on the new syslog Miner and select the STATS tab. Check the SYSLOG.PROCESSED metric, this counter is incremented every time the Miner receives a syslog message.     Log format A full list of parameters can be found in the following python script: https://gist.github.com/jtschichold/87f59b99d98c8eac1da5    Traffic logs { "src_zone": "Tap", "protocol": "tcp", "src_translated_port": "0", "dest_translated_ip": "", "app": "incomplete", "src_translated_ip": "", "log_subtype": "end", "dest_zone": "Tap", "bytes_in": "0", "generated_time": "2014/05/13 16:14:29", "serial_number": "007201000291", "type": "TRAFFIC", "action_flags": "0x8000000000000000", "packets_out": "1", "event.tags": [ "TRAFFIC", "TRAFFIC_FIELDS_6_0" ], "receive_time": "2014/05/13 16:14:29", "start_time": "2014/05/13 16:14:24", "virtual_system": "vsys1", "src_location": "US", "future_use1": "Apr 30 00:25:26 1", "future_use2": "1", "future_use3": "2014/05/13 16:14:29", "future_use4": "0", "future_use5": "0", "log_forwarding_profile": "to Panorama", "bytes": "62", "packets_in": "0", "sequence_number": "259937194", "rule": "Allow-All", "duration": "0", "repeat_count": "1", "dest_interface": "ethernet1/1", "dest_port": "9191", "category": "any", "src_port": "55869", "src_ip": "", "dest_user": "pancademo\\jason.bringanti", "bytes_out": "62", "dest_ip": "", "src_user": "", "src_interface": "ethernet1/1", "packets": "1", "session_id": "74404", "dest_translated_port": "0", "dest_location": "", "flags": "0x64", "action": "allow" }   Threat logs { "src_zone": "Tap", "protocol": "tcp", "src_translated_port": "0", "dest_translated_ip": "", "app": "imap", "misc": "Rjf4TBoDBs389u.Emf", "src_translated_ip": "", "log_subtype": "vulnerability", "dest_zone": "Tap", "generated_time": "2014/05/13 06:55:16", "serial_number": "007201000291", "type": "THREAT", "action_flags": "0x8000000000000000", "direction": "server-to-client", "event.tags": [ "THREAT", "THREAT_FIELDS_6_0" ], "receive_time": "2014/05/13 06:55:16", "content_type": "", "virtual_system": "vsys1", "src_location": "", "future_use1": "Mar 16 03:23:08 1", "future_use2": "1", "future_use3": "2014/05/13 06:55:16", "future_use4": "0", "src_user": "pancademo\\fausto.allen", "dest_translated_port": "0", "sequence_number": "1525703173", "threat_name": "Microsoft Windows Image Color Management Remote Code Execution Vulnerability(31720)", "rule": "Allow-All", "repeat_count": "1", "dest_interface": "ethernet1/1", "dest_port": "42913", "category": "any", "src_port": "143", "severity": "critical", "src_ip": "", "dest_user": "", "dest_ip": "", "log_forwarding_profile": "to Panorama", "url_idx": "", "src_interface": "ethernet1/1", "pcap_id": "1199806114522039943", "cloud_address": "", "session_id": "190977", "dest_location": "US", "flags": "0x80000000", "action": "alert" }   Under the Hood The following diagram depicts the message flow.   Syslog messages are received by the rsyslog deamon running on the VM. Rsyslog translates the messages into JSON and sends them to the syslog miner node inside the MineMeld engine.
View full article
lmori ‎06-28-2019 10:17 AM
9 Replies
Ask Questions Get Answers Join the Live Community